Using PSRule with Bicep parameter file, no rules processed as expected #2678

BenjaminEngeset · 2024-02-07T08:12:56Z

BenjaminEngeset
Feb 7, 2024

Do you see what kind of configuration mistake that has been done here?

Action:

# Run Well-Architected Framework to validate the content of the Bicep deployment file.
- name: Validate deployment with Well-Architected Framework
  uses: microsoft/ps-rule@main
  with:
    inputType: inputPath
    inputPath: ${{ inputs.workingDirectory }}/parameters/main.${{ inputs.environment }}.bicepparam
    modules: PSRule.Rules.Azure
    baseline: Azure.All
    outputFormat: Sarif
    outputPath: reports/ps-rule-results.sarif
    summary: true

Configuration file:

#
# PSRule for Azure configuration
#

# Please see the documentation for all configuration options:
# https://aka.ms/ps-rule-azure

# Use rules from the following modules/
include:
  module:
    - "PSRule.Rules.Azure"

# Require a minimum version of modules that include referenced baseline.
requires:
  PSRule: "@pre >=2.9.0"
  PSRule.Rules.Azure: "@pre >=1.33.0"

output:
  culture:
    - "en-US"

execution:
  # Ignore warnings for resources and objects that don't have any rules.
  unprocessedObject: Ignore

configuration:
  # Enable expansion for Bicep source files.
  AZURE_BICEP_FILE_EXPANSION: true

  # Set the Bicep parameter expansion configuration option to enable expansion of Azure Bicep parameter files (.bicepparam).
  AZURE_BICEP_PARAMS_FILE_EXPANSION: true

  # Set timeout for expanding Bicep source files.
  AZURE_BICEP_FILE_EXPANSION_TIMEOUT: 30

  # The default AZURE_SUBSCRIPTION configuration option.
  AZURE_SUBSCRIPTION:
    displayName: x-platform-001

# This option is used for specify the base branch for pull requests.
# When evaluating changes files only PSRule uses this option for comparison with the current branch.
repository:
  baseRef: main

input:
  # By default, objects read from file using inputPath will be skipped if the file path has been ignored.
  # When set to true, additionally objects with a source path that has been ignored will be skipped.
  ignoreObjectSource: true
  
  # By default, PSRule will process all files within an input path.
  ignoreUnchangedPath: true

  pathIgnore:
    # Ignore other files in the repository.
    - '**'

    # Include deployment files.
    - '!deployments/**/*.bicepparam'
    - '!deployments/**/main.bicep'

Bicep file and parameter file:

targetScope = 'managementGroup'

@description('Provide a name for the alias. This name will also be the display name of the subscription.')
param subscriptionAliasName string

@description('Provide the full resource ID of billing scope to use for subscription creation.')
param billingScope string

resource subscriptionAlias 'Microsoft.Subscription/aliases@2021-10-01' = {
  scope: tenant()
  name: subscriptionAliasName
  properties: {
    workload: 'Production'
    displayName: subscriptionAliasName
    billingScope: billingScope
  }

using '../main.bicep'

param billingScope = '/providers/Microsoft.Billing/billingAccounts/07068764-73c0-xxx/billingProfiles/xxx/invoiceSections/xxx

param subscriptionAliasName = 'd-org-001'

Workflow run from main branch:

2024-02-07T07:56:31.4746785Z ##[group]Run microsoft/ps-rule@main
2024-02-07T07:56:31.4747279Z with:
2024-02-07T07:56:31.4747594Z   inputType: inputPath
2024-02-07T07:56:31.4748241Z   inputPath: ./deployments/sub-env-org/parameters/main.dev.bicepparam
2024-02-07T07:56:31.4748998Z   modules: PSRule.Rules.Azure
2024-02-07T07:56:31.4749416Z   baseline: Azure.All
2024-02-07T07:56:31.4749797Z   outputFormat: Sarif
2024-02-07T07:56:31.4750232Z   outputPath: reports/ps-rule-results.sarif
2024-02-07T07:56:31.4750742Z   summary: true
2024-02-07T07:56:31.4751081Z   source: .ps-rule/
2024-02-07T07:56:31.4751441Z   prerelease: false
2024-02-07T07:56:31.4751810Z   repository: PSGallery
2024-02-07T07:56:31.4752171Z ##[endgroup]
2024-02-07T07:56:31.4986262Z ##[group]Run /home/runner/work/_actions/microsoft/ps-rule/main/powershell.ps1 -InputType 'inputPath' -InputPath './deployments/sub-env-org/parameters/main.dev.bicepparam' -Modules 'PSRule.Rules.Azure' -Source '.ps-rule/' -Baseline 'Azure.All' -Conventions '' -Option '' -Outcome '' -OutputFormat 'Sarif' -OutputPath 'reports/ps-rule-results.sarif' -Path '' -PreRelease 'false' -Repository 'PSGallery' -Summary 'true' -Version ''
2024-02-07T07:56:31.4991877Z �[36;1m/home/runner/work/_actions/microsoft/ps-rule/main/powershell.ps1 -InputType 'inputPath' -InputPath './deployments/sub-env-org/parameters/main.dev.bicepparam' -Modules 'PSRule.Rules.Azure' -Source '.ps-rule/' -Baseline 'Azure.All' -Conventions '' -Option '' -Outcome '' -OutputFormat 'Sarif' -OutputPath 'reports/ps-rule-results.sarif' -Path '' -PreRelease 'false' -Repository 'PSGallery' -Summary 'true' -Version ''�[0m
2024-02-07T07:56:31.5049616Z shell: /usr/bin/pwsh -command ". '{0}'"
2024-02-07T07:56:31.5050155Z ##[endgroup]
2024-02-07T07:56:37.1603708Z [info] Using repository: PSGallery
2024-02-07T07:56:42.3667600Z [info] Installing PSRule: 2.9.0
2024-02-07T07:56:45.3517100Z 
2024-02-07T07:56:45.3565811Z > Checking module: PSRule.Rules.Azure
2024-02-07T07:56:45.9189190Z   - Installing module
2024-02-07T07:56:50.1527431Z   - Using version: 1.33.0
2024-02-07T07:56:50.2127115Z 
2024-02-07T07:56:50.2128258Z [info] Using Version: 2.9.0
2024-02-07T07:56:50.2129456Z [info] Using Action: __microsoft_ps-rule
2024-02-07T07:56:50.2133075Z [info] Using Workspace: /home/runner/work/platform-test1/platform-test1
2024-02-07T07:56:50.2134850Z [info] Using PWD: /home/runner/work/platform-test1/platform-test1
2024-02-07T07:56:50.2231073Z [info] Using Path: /home/runner/work/platform-test1/platform-test1
2024-02-07T07:56:50.2232308Z [info] Using Source: /home/runner/work/platform-test1/platform-test1/.ps-rule/
2024-02-07T07:56:50.2233198Z [info] Using Baseline: Azure.All
2024-02-07T07:56:50.2233727Z [info] Using Conventions: 
2024-02-07T07:56:50.2234230Z [info] Using InputType: inputPath
2024-02-07T07:56:50.2235710Z [info] Using InputPath: /home/runner/work/platform-test1/platform-test1/./deployments/sub-env-org/parameters/main.dev.bicepparam
2024-02-07T07:56:50.2237063Z [info] Using Option: 
2024-02-07T07:56:50.2237598Z [info] Using Outcome: 
2024-02-07T07:56:50.2238007Z [info] Using OutputFormat: Sarif
2024-02-07T07:56:50.2238645Z [info] Using OutputPath: reports/ps-rule-results.sarif
2024-02-07T07:56:50.2239236Z [info] Using Summary: true
2024-02-07T07:56:50.2339961Z 
2024-02-07T07:56:50.2340523Z ---
2024-02-07T07:56:50.5096034Z �[33;1mWARNING: To use PSRule for Azure export cmdlets please install Az.Resources.�[0m
2024-02-07T07:56:50.5846254Z     ____  _____ ____        __
2024-02-07T07:56:50.5847171Z    / __ \/ ___// __ \__  __/ /__
2024-02-07T07:56:50.5847874Z   / /_/ /\__ \/ /_/ / / / / / _ \
2024-02-07T07:56:50.5848647Z  / ____/___/ / _, _/ /_/ / /  __/
2024-02-07T07:56:50.5849349Z /_/    /____/_/ |_|\__,_/_/\___/
2024-02-07T07:56:50.5850074Z 
2024-02-07T07:56:50.5851026Z Using PSRule v2.9.0
2024-02-07T07:56:50.5851877Z Using PSRule.Rules.Azure v1.33.0
2024-02-07T07:56:50.5852484Z 
2024-02-07T07:56:50.5854830Z ----------------------------
2024-02-07T07:56:50.5855526Z Explore documentation: https://aka.ms/ps-rule
2024-02-07T07:56:50.5918062Z Contribute and find source: https://github.com/microsoft/PSRule
2024-02-07T07:56:50.5918942Z Report issues: https://github.com/microsoft/PSRule/issues
2024-02-07T07:56:50.5919975Z PSRule.Rules.Azure: https://aka.ms/ps-rule-azure
2024-02-07T07:56:50.5920581Z ----------------------------
2024-02-07T07:56:50.5920846Z 
2024-02-07T07:56:50.5921528Z From repository: https://github.com/organization/platform-test1
2024-02-07T07:56:50.5922205Z   on : main
2024-02-07T07:56:50.5922577Z   at : d784a64d7844768c70a9e632564e2f171a3d44e8
2024-02-07T07:56:50.5922976Z 
2024-02-07T07:56:51.5958605Z 
2024-02-07T07:56:51.5960077Z Rules processed: 0, failed: 0, errored: 0
2024-02-07T07:56:51.5961895Z Run organization/platform-test1/7811590557 completed in 00:00:00.9983886
2024-02-07T07:56:51.6925864Z Output written to the following file: '/home/runner/work/platform-test1/platform-test1/reports/ps-rule-results.sarif'

Thanks in advance.

Answered by BernieWhite

Feb 11, 2024

@BenjaminEngeset Thanks for confirming. For Bicep this option should have no effect, because the file path and object source path are the same. I'd suggest it's a bug, but since it has not additional functionality in Bicep currently, it's safe to unconfigure.

Logged as microsoft/PSRule#1753

This option use used to help detect changed files, it's used for comparisons. If not set, PSRule will attempt to detect the base path however there is cases when detection is not possible. So setting this option is recommended with ignoreUnchangedPath = true.

View full answer

BernieWhite · 2024-02-07T14:08:24Z

BernieWhite
Feb 7, 2024
Maintainer

@BenjaminEngeset The inputType: parameter must be repository (the default). PSRule for Azure does not support inputType: inputPath, which is a different mode of operation.

Using inputType: repository does not prevent setting a value to scan a specific sub-folder with the inputPath: parameter.

See: https://azure.github.io/PSRule.Rules.Azure/troubleshooting/#no-rules-or-no-azure-resources-are-found

0 replies

BenjaminEngeset · 2024-02-07T15:11:08Z

BenjaminEngeset
Feb 7, 2024
Author

@BernieWhite Thanks. I have changed it to be repository now, however I'm still facing the "same" issue.

   # Run Well-Architected Framework to validate the content of the Bicep deployment file.
      - name: Validate deployment with Well-Architected Framework
        uses: microsoft/ps-rule@main
        with:
          inputType: repository
          inputPath: ${{ inputs.workingDirectory }}/parameters/main.${{ inputs.environment }}.bicepparam
          modules: PSRule.Rules.Azure
          baseline: Azure.All
          outputFormat: Sarif
          outputPath: reports/ps-rule-results.sarif
          summary: true

2024-02-07T14:53:46.0814044Z ##[group]Run microsoft/ps-rule@main
2024-02-07T14:53:46.0814458Z with:
2024-02-07T14:53:46.0814746Z   inputType: repository
2024-02-07T14:53:46.0815306Z   inputPath: ./deployments/sub-env-org/parameters/main.dev.bicepparam
2024-02-07T14:53:46.0815956Z   modules: PSRule.Rules.Azure
2024-02-07T14:53:46.0816332Z   baseline: Azure.All
2024-02-07T14:53:46.0816657Z   outputFormat: Sarif
2024-02-07T14:53:46.0817030Z   outputPath: reports/ps-rule-results.sarif
2024-02-07T14:53:46.0817467Z   summary: true
2024-02-07T14:53:46.0817768Z   source: .ps-rule/
2024-02-07T14:53:46.0818083Z   prerelease: false
2024-02-07T14:53:46.0818402Z   repository: PSGallery
2024-02-07T14:53:46.0818728Z ##[endgroup]
2024-02-07T14:53:46.1068996Z ##[group]Run /home/runner/work/_actions/microsoft/ps-rule/main/powershell.ps1 -InputType 'repository' -InputPath './deployments/sub-env-org/parameters/main.dev.bicepparam' -Modules 'PSRule.Rules.Azure' -Source '.ps-rule/' -Baseline 'Azure.All' -Conventions '' -Option '' -Outcome '' -OutputFormat 'Sarif' -OutputPath 'reports/ps-rule-results.sarif' -Path '' -PreRelease 'false' -Repository 'PSGallery' -Summary 'true' -Version ''
2024-02-07T14:53:46.1073825Z �[36;1m/home/runner/work/_actions/microsoft/ps-rule/main/powershell.ps1 -InputType 'repository' -InputPath './deployments/sub-env-org/parameters/main.dev.bicepparam' -Modules 'PSRule.Rules.Azure' -Source '.ps-rule/' -Baseline 'Azure.All' -Conventions '' -Option '' -Outcome '' -OutputFormat 'Sarif' -OutputPath 'reports/ps-rule-results.sarif' -Path '' -PreRelease 'false' -Repository 'PSGallery' -Summary 'true' -Version ''�[0m
2024-02-07T14:53:46.1133285Z shell: /usr/bin/pwsh -command ". '{0}'"
2024-02-07T14:53:46.1133914Z ##[endgroup]
2024-02-07T14:53:57.6261490Z [info] Using repository: PSGallery
2024-02-07T14:54:06.2149645Z [info] Installing PSRule: 2.9.0
2024-02-07T14:54:09.1052947Z 
2024-02-07T14:54:09.1091688Z > Checking module: PSRule.Rules.Azure
2024-02-07T14:54:09.4979113Z   - Installing module
2024-02-07T14:54:13.0748651Z   - Using version: 1.33.0
2024-02-07T14:54:13.1163854Z 
2024-02-07T14:54:13.1166117Z [info] Using Version: 2.9.0
2024-02-07T14:54:13.1169190Z [info] Using Action: __microsoft_ps-rule
2024-02-07T14:54:13.1171985Z [info] Using Workspace: /home/runner/work/platform-test1/platform-test1
2024-02-07T14:54:13.1179815Z [info] Using PWD: /home/runner/work/platform-test1/platform-test1
2024-02-07T14:54:13.1182648Z [info] Using Path: /home/runner/work/platform-test1/platform-test1
2024-02-07T14:54:13.1185413Z [info] Using Source: /home/runner/work/platform-test1/platform-test1/.ps-rule/
2024-02-07T14:54:13.1188950Z [info] Using Baseline: Azure.All
2024-02-07T14:54:13.1191374Z [info] Using Conventions: 
2024-02-07T14:54:13.1193668Z [info] Using InputType: repository
2024-02-07T14:54:13.1196603Z [info] Using InputPath: /home/runner/work/platform-test1/platform-test1/./deployments/sub-env-montelpro/parameters/main.dev.bicepparam
2024-02-07T14:54:13.1200357Z [info] Using Option: 
2024-02-07T14:54:13.1203355Z [info] Using Outcome: 
2024-02-07T14:54:13.1205442Z [info] Using OutputFormat: Sarif
2024-02-07T14:54:13.1208499Z [info] Using OutputPath: reports/ps-rule-results.sarif
2024-02-07T14:54:13.1217727Z [info] Using Summary: true
2024-02-07T14:54:13.1395758Z 
2024-02-07T14:54:13.1397631Z ---
2024-02-07T14:54:13.4073846Z �[33;1mWARNING: To use PSRule for Azure export cmdlets please install Az.Resources.�[0m
2024-02-07T14:54:13.4736688Z     ____  _____ ____        __
2024-02-07T14:54:13.4737428Z    / __ \/ ___// __ \__  __/ /__
2024-02-07T14:54:13.4737981Z   / /_/ /\__ \/ /_/ / / / / / _ \
2024-02-07T14:54:13.4738531Z  / ____/___/ / _, _/ /_/ / /  __/
2024-02-07T14:54:13.4739201Z /_/    /____/_/ |_|\__,_/_/\___/
2024-02-07T14:54:13.4739749Z 
2024-02-07T14:54:13.4740812Z Using PSRule v2.9.0
2024-02-07T14:54:13.4741269Z Using PSRule.Rules.Azure v1.33.0
2024-02-07T14:54:13.4741736Z 
2024-02-07T14:54:13.4744692Z ----------------------------
2024-02-07T14:54:13.4745658Z Explore documentation: https://aka.ms/ps-rule
2024-02-07T14:54:13.4746429Z Contribute and find source: https://github.com/microsoft/PSRule
2024-02-07T14:54:13.4747264Z Report issues: https://github.com/microsoft/PSRule/issues
2024-02-07T14:54:13.4840348Z PSRule.Rules.Azure: https://aka.ms/ps-rule-azure
2024-02-07T14:54:13.4840889Z ----------------------------
2024-02-07T14:54:13.4841131Z 
2024-02-07T14:54:13.4841494Z From repository: https://github.com/org/platform-test1
2024-02-07T14:54:13.4842059Z   on : main
2024-02-07T14:54:13.4842414Z   at : 98c1dda4eb63baff31a7065159d1091b83225020
2024-02-07T14:54:13.4842761Z 
2024-02-07T14:54:14.3814586Z 
2024-02-07T14:54:14.3817967Z Rules processed: 0, failed: 0, errored: 0

1 reply

BernieWhite Feb 8, 2024
Maintainer

@BenjaminEngeset Next thought would be to double check that the /./ in the inputPath: is not being handled and is causing the file to be ignored because !deployments/**/*.bicepparam is not applying. Updating the inputPath: or using !**/deployments/**/*.bicepparam might address this.

2024-02-07T07:56:50.2235710Z [info] Using InputPath: /home/runner/work/platform-test1/platform-test1/./deployments/sub-env-org/parameters/main.dev.bicepparam

BenjaminEngeset · 2024-02-08T07:40:08Z

BenjaminEngeset
Feb 8, 2024
Author

@BenjaminEngeset Next thought would be to double check that the /./ in the inputPath: is not being handled and is causing the file to be ignored because !deployments/**/*.bicepparam is not applying. Updating the inputPath: or using !**/deployments/**/*.bicepparam might address this.
2024-02-07T07:56:50.2235710Z [info] Using InputPath: /home/runner/work/platform-test1/platform-test1/./deployments/sub-env-org/parameters/main.dev.bicepparam

@BernieWhite Thanks, I have tried both actually without success. Still no rules are being processed.

inputPath: deployments/sub-env-org/parameters/main.dev.bicepparam

[info] Using InputPath: /home/runner/work/platform-test1/platform-test1/deployments/sub-env-org/parameters/main.dev.bicepparam

Current repository structure:

Do you have an additional thing I can check? The azure/arm-deploy@v1action is capable of locating the file.

1 reply

BernieWhite Feb 9, 2024
Maintainer

@BenjaminEngeset How are you using the Input.IgnoreUnchangedPath option?

When this option set to true only files that are changed as part of a pull request are scanned. For it to scan any files you would have to have some changed .bicepparam files in your branch, and specifically with the combination of inputPath: parameter deployments/sub-env-org/parameters/main.dev.bicepparam would have to be changed.

To have files scanned when deployments/sub-env-org/main.bicep is changed as well you need to add a convention to handle the related file.

BenjaminEngeset · 2024-02-09T16:47:29Z

BenjaminEngeset
Feb 9, 2024
Author

@BenjaminEngeset How are you using the Input.IgnoreUnchangedPath option?

When this option set to true only files that are changed as part of a pull request are scanned. For it to scan any files you would have to have some changed .bicepparam files in your branch, and specifically with the combination of inputPath: parameter deployments/sub-env-org/parameters/main.dev.bicepparam would have to be changed.

To have files scanned when deployments/sub-env-org/main.bicep is changed as well you need to add a convention to handle the related file.

@BernieWhite I have been using the Input.IgnoreUnchangedPath in combination with repository.baseRef to only have the changed files in the PR opened to be scanned. From my understanding both of these configurations are needed together to make it work. But then, I have used repository only and not defined any inputPath at all.

Now I'm going to use PSRule for deployment repository, where I want the same behavior, but I'm also going to scan it after it's merged into main branch, because each deployment file should have PSRule scanning before deployment to the according environment.

I have configured ignoreUnchangedPath: false now, but still no rules hits my deployment file when being in main branch.

7 replies

BenjaminEngeset Feb 10, 2024
Author

@BernieWhite That didn't work, but commenting out the path ignore did the trick. The file is analyzed as expected.

What do you think would be the next step here?

BernieWhite Feb 11, 2024
Maintainer

@BenjaminEngeset Let's try removing the ignoreObjectSource option.

BenjaminEngeset Feb 11, 2024
Author

@BernieWhite Looks like ignoreObjectSource is the root of the problem. Can you elaborate on why that is the matter?

I'm also wondering if the repository.baseRef has any value when using inputPath instead of the whole repository.

BernieWhite Feb 11, 2024
Maintainer

@BenjaminEngeset Thanks for confirming. For Bicep this option should have no effect, because the file path and object source path are the same. I'd suggest it's a bug, but since it has not additional functionality in Bicep currently, it's safe to unconfigure.

Logged as microsoft/PSRule#1753

This option use used to help detect changed files, it's used for comparisons. If not set, PSRule will attempt to detect the base path however there is cases when detection is not possible. So setting this option is recommended with ignoreUnchangedPath = true.

Answer selected by BenjaminEngeset

BenjaminEngeset Feb 22, 2024
Author

Should we mark this as answered @BernieWhite?

BernieWhite Feb 22, 2024
Maintainer

Yes please.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Using PSRule with Bicep parameter file, no rules processed as expected #2678

{{title}}

Replies: 4 comments 9 replies

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Using PSRule with Bicep parameter file, no rules processed as expected #2678

BenjaminEngeset Feb 7, 2024

Replies: 4 comments · 9 replies

BernieWhite Feb 7, 2024 Maintainer

BenjaminEngeset Feb 7, 2024 Author

BernieWhite Feb 8, 2024 Maintainer

BenjaminEngeset Feb 8, 2024 Author

BernieWhite Feb 9, 2024 Maintainer

BenjaminEngeset Feb 9, 2024 Author

BenjaminEngeset Feb 10, 2024 Author

BernieWhite Feb 11, 2024 Maintainer

BenjaminEngeset Feb 11, 2024 Author

BernieWhite Feb 11, 2024 Maintainer

BenjaminEngeset Feb 22, 2024 Author

BernieWhite Feb 22, 2024 Maintainer

BenjaminEngeset
Feb 7, 2024

Replies: 4 comments 9 replies

BernieWhite
Feb 7, 2024
Maintainer

BenjaminEngeset
Feb 7, 2024
Author

BernieWhite Feb 8, 2024
Maintainer

BenjaminEngeset
Feb 8, 2024
Author

BernieWhite Feb 9, 2024
Maintainer

BenjaminEngeset
Feb 9, 2024
Author

BenjaminEngeset Feb 10, 2024
Author

BernieWhite Feb 11, 2024
Maintainer

BenjaminEngeset Feb 11, 2024
Author

BernieWhite Feb 11, 2024
Maintainer

BenjaminEngeset Feb 22, 2024
Author

BernieWhite Feb 22, 2024
Maintainer